From b7c6a0b6373326868200abe62968668e4100b589 Mon Sep 17 00:00:00 2001
From: Pankaj
Date: Tue, 7 Sep 2021 19:47:26 +0530
Subject: [PATCH] HBASE-26228 updateRSGroupConfig operation should be authorized by AccessController (#3633)
Signed-off-by: Duo Zhang
Signed-off-by: Baiqiang Zhao
---
 .../hbase/security/access/AccessController.java | 7 +++++++
 .../hadoop/hbase/rsgroup/TestRSGroupsBase.java | 16 ++++++++++++++++
 .../hbase/rsgroup/TestRSGroupsWithACL.java | 10 ++++++++++
 3 files changed, 33 insertions(+)
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index 5ed12c44cd1..0b8d7e4b78c 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -2617,4 +2617,11 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 accessChecker.requirePermission(getActiveUser(ctx), "renameRSGroup", null, Permission.Action.ADMIN);
 }
+
+ @Override
+ public void preUpdateRSGroupConfig(final ObserverContext ctx,
+ final String groupName, final Map configuration) throws IOException {
+ accessChecker
+ .requirePermission(getActiveUser(ctx), "updateRSGroupConfig", null, Permission.Action.ADMIN);
+ }
 }
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsBase.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsBase.java
index 10bd3866e39..d0521c5ae4f 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsBase.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsBase.java
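Review bot: In `AccessController.preUpdateRSGroupConfig` neither `groupName` nor `configuration` is read, so the new check is a global ADMIN gate, and a denial raised by `requirePermission` will presumably identify only the request string `updateRSGroupConfig`, not the group whose configuration was targeted. That is consistent with the `renameRSGroup` check visible in the context lines, but it is worth stating next to the call so nobody later assumes per-group scoping or validation of the submitted keys: `// Global ADMIN only; groupName and the configuration map are not part of the authorization decision.` The call is also split right after `accessChecker`, which reads oddly; `accessChecker.requirePermission(getActiveUser(ctx), "updateRSGroupConfig", null,` with `Permission.Action.ADMIN);` on the continuation line is the more usual wrap. The enclosing class begins outside the hunk, so whether other RSGroup hooks still lack a check cannot be judged from here.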
@@ -342,6 +342,8 @@ public abstract class TestRSGroupsBase extends AbstractTestUpdateConfiguration {
 boolean postGetConfiguredNamespacesAndTablesInRSGroupCalled = false;
 boolean preRenameRSGroup = false;
 boolean postRenameRSGroup = false;
+ boolean preUpdateRSGroupConfig = false;
+ boolean postUpdateRSGroupConfig = false;
 public void resetFlags() {
 preBalanceRSGroupCalled = false;
@@ -374,6 +376,8 @@ public abstract class TestRSGroupsBase extends AbstractTestUpdateConfiguration {
 postGetConfiguredNamespacesAndTablesInRSGroupCalled = false;
 preRenameRSGroup = false;
 postRenameRSGroup = false;
+ preUpdateRSGroupConfig = false;
+ postUpdateRSGroupConfig = false;
 }
 @Override
@@ -548,5 +552,17 @@ public abstract class TestRSGroupsBase extends AbstractTestUpdateConfiguration {
 String newName) throws IOException {
 postRenameRSGroup = true;
 }
+
+ @Override
+ public void preUpdateRSGroupConfig(final ObserverContext ctx,
+ final String groupName, final Map configuration) throws IOException {
+ preUpdateRSGroupConfig = true;
+ }
+
+ @Override
+ public void postUpdateRSGroupConfig(final ObserverContext ctx,
+ final String groupName, final Map configuration) throws IOException {
+ postUpdateRSGroupConfig = true;
+ }
 }
 }
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java
index fb6292c8a89..5649242e3be 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/rsgroup/TestRSGroupsWithACL.java
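Review bot: The new `preUpdateRSGroupConfig` and `postUpdateRSGroupConfig` flags in `TestRSGroupsBase` are declared, reset and set, but nothing in this patch reads them, so the hunks at `-342`, `-374` and `-548` add observer state without an assertion. If a test elsewhere already drives the update operation, it should assert both flags after the call, along the lines of `assertTrue(<observer>.preUpdateRSGroupConfig);` where `<observer>` is a placeholder for whatever field holds the observer instance; otherwise the flags could be left out of this change. The flags also share their names with the overriding methods that set them; a `Called` suffix, as on `preBalanceRSGroupCalled` in the context lines, would read more clearly. The observer class and `resetFlags()` both extend beyond the visible hunks.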
@@ -333,6 +333,16 @@ public class TestRSGroupsWithACL extends SecureTestUtil {
 validateAdminPermissions(action);
 }
+ @Test
+ public void testUpdateRSGroupConfig() throws Exception {
+ AccessTestAction action = () -> {
+ checkPermission("updateRSGroupConfig");
+ return null;
+ };
+
+ validateAdminPermissions(action);
+ }
+
 private void validateAdminPermissions(AccessTestAction action) throws Exception {
 verifyAllowed(action, SUPERUSER, USER_ADMIN, USER_GROUP_ADMIN);
 verifyDenied(action, USER_CREATE, USER_OWNER, USER_RW, USER_RO, USER_NONE, USER_GROUP_READ,
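Review bot: `testUpdateRSGroupConfig` passes only the string `updateRSGroupConfig` to `checkPermission`, whose body is outside the hunk; if that helper forwards the string straight to the access checker, as its name suggests, the test never invokes `AccessController.preUpdateRSGroupConfig` and would still pass if the hook were removed or weakened. A regression test for an authorization fix should drive the operation through the coprocessor path so that the wiring itself is covered, for example by having the action perform the `updateRSGroupConfig` operation on a test group before `validateAdminPermissions(action)` runs. A short comment on the test would also help, such as `// Only users holding global ADMIN may pass the updateRSGroupConfig check.` The `verifyDenied` statement in the trailing context continues past the end of the hunk.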